
# Volatile memory

## Volatility

Volatility is an open source framework for digital forensics, and in particular memory forensics (recovering evidence from memory images), used in incident response and malware analysis.

`<profile>` = depends on the system being analysed.

`[]` = optional.

### Volatility2

#### Profile discovery

```bash
vol -f dump.dmp imageinfo
```

#### Hashes and passwords

```bash
vol --profile=<profile> hashdump -f file.dmp   # retrieve the users' password hashes (SAM + SYSTEM)
vol --profile=<profile> cachedump -f file.dmp  # retrieve the cached domain hashes stored in the registry
vol --profile=<profile> lsadump -f file.dmp    # retrieve the LSA secrets
```

#### Processes

```bash
vol --profile=<profile> pstree -f file.dmp   # process tree (parent/child relationships)
vol --profile=<profile> pslist -f file.dmp   # process list, walked from the kernel's linked list
vol --profile=<profile> psscan -f file.dmp   # carve _EPROCESS structures from memory: finds hidden and exited processes
vol --profile=<profile> psxview -f file.dmp  # cross-view of several process sources to spot hidden processes
```

#### Command lines

```bash
vol --profile=<profile> cmdline -f file.dmp   # command-line arguments of each process
vol --profile=<profile> cmdscan -f file.dmp   # scan for command history buffers (cmd.exe / conhost)
vol --profile=<profile> consoles -f file.dmp  # console input and output history
```

#### Environment variables

```bash
vol --profile=<profile> envars -f file.dmp [--pid <pid>]   # display the environment variables of each process
vol --profile=<profile> -f file.dmp linux_psenv [-p <pid>]  # Linux equivalent
```

#### Privileges

```bash
# Get the enabled privileges of a given process
vol --profile=<profile> privs --pid=3152 -f file.dmp | grep Enabled
# Get all processes holding interesting privileges
vol --profile=<profile> privs -f file.dmp | grep "SeImpersonatePrivilege\|SeAssignPrimaryTokenPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
```

#### SIDs

```bash
vol --profile=<profile> getsids -f file.dmp         # SIDs of the account owning each process
vol --profile=<profile> getservicesids -f file.dmp  # SID of each service
```

#### DLL

```bash
vol --profile=<profile> dlllist -f file.dmp                          # list the DLLs loaded by each process
vol --profile=<profile> dlldump --pid=3152 --dump-dir=. -f file.dmp  # dump the DLLs of a given process to the current directory
```

#### Services

```bash
vol --profile=<profile> svcscan -f file.dmp        # scan for services
vol --profile=<profile> getservicesids -f file.dmp # retrieve the SIDs of the services
```

#### Network

```bash
vol --profile=<profile> -f file.dmp netscan      # scan for network artefacts (Vista and later)
vol --profile=<profile> -f file.dmp connections  # active TCP connections (XP/2003)
vol --profile=<profile> -f file.dmp connscan     # scan for TCP connections, including closed ones (XP/2003)
vol --profile=<profile> -f file.dmp sockscan     # scan for sockets, including closed ones (XP/2003)
vol --profile=<profile> -f file.dmp sockets      # list open sockets (XP/2003)
```

#### Registry

```bash
vol --profile=<profile> -f file.dmp hivescan  # scan for registry hives
vol --profile=<profile> -f file.dmp printkey  # print a registry key (-K "Path\To\Key" selects one)
```

#### Mutexes

```bash
vol --profile=<profile> mutantscan -f file.dmp                   # scan for mutex objects
vol --profile=<profile> -f file.dmp handles -p <PID> -t mutant  # mutex handles held by a given process
```

#### Timeline

```bash
vol --profile=<profile> -f file.dmp timeliner
```

#### Drivers

```bash
vol --profile=<profile> -f file.dmp driverscan
```

#### Internet Explorer history

```bash
vol --profile=<profile> -f file.dmp iehistory
```

#### Notepad text

```bash
vol --profile=<profile> -f file.dmp notepad
```

#### Screenshot

```bash
vol --profile=<profile> -f file.dmp screenshot
```

#### Symbolic links

```bash
vol --profile=<profile> -f file.dmp symlinkscan
```

#### Dump

```bash
vol --profile=<profile> -f file.dmp filescan                        # scan for file objects in memory
vol --profile=<profile> -f file.dmp dumpfiles -n --dump-dir=<path>  # extract cached files (-n keeps the original file names)
```

### Volatility3

#### OS info

```bash
vol -f file.dmp windows.info[.Info]
```

#### Hashes and passwords

```bash
vol.py -f file.dmp windows.hashdump[.Hashdump] #Grab common windows hashes (SAM+SYSTEM)
vol.py -f file.dmp windows.cachedump[.Cachedump] #Grab domain cache hashes inside the registry
vol.py -f file.dmp windows.lsadump[.Lsadump] #Grab lsa secrets
```

#### Processes

```bash
vol -f file.dmp windows.pstree[.PsTree]
vol -f file.dmp windows.pslist[.PsList]
vol -f file.dmp windows.psscan[.PsScan]
```
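The `psscan` plugins above carve `_EPROCESS` blocks out of memory, so they also return processes that were unlinked from the kernel's list (what `psxview` cross-checks in Volatility 2) as well as processes that have simply exited. The script below is an added example, not part of this page or of the Volatility project: it diffs the two plugin outputs and keeps only the unlinked, still-running processes. It assumes both plugins were run with the JSON-lines renderer (`vol -r jsonl ...`) and that the rows carry `PID`, `ImageFileName` and `ExitTime` keys; the sample rows are constructed, not real dump data.

```python
import json

# Constructed sample output in the shape of `vol -r jsonl -f file.dmp windows.pslist`
# (one JSON object per line; key names are an assumption). Not real dump data.
PSLIST_JSONL = """\
{"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": null, "__children": []}
{"PID": 612, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": null, "__children": []}
{"PID": 728, "PPID": 612, "ImageFileName": "csrss.exe", "ExitTime": null, "__children": []}
{"PID": 1904, "PPID": 728, "ImageFileName": "explorer.exe", "ExitTime": null, "__children": []}
"""

# Constructed sample output of `windows.psscan`: same rows plus an exited
# notepad and one process that is absent from the linked list.
PSSCAN_JSONL = """\
{"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": null, "__children": []}
{"PID": 612, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": null, "__children": []}
{"PID": 728, "PPID": 612, "ImageFileName": "csrss.exe", "ExitTime": null, "__children": []}
{"PID": 1904, "PPID": 728, "ImageFileName": "explorer.exe", "ExitTime": null, "__children": []}
{"PID": 2240, "PPID": 1904, "ImageFileName": "notepad.exe", "ExitTime": "2024-01-10 09:14:03.000000", "__children": []}
{"PID": 3152, "PPID": 728, "ImageFileName": "svch0st.exe", "ExitTime": null, "__children": []}
"""


def load_processes(jsonl_text):
    """Map PID -> row for every non-empty line of a jsonl plugin dump."""
    procs = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        procs[int(row["PID"])] = row
    return procs


def is_terminated(row):
    """psscan also carves the _EPROCESS of exited processes; those carry an ExitTime."""
    return row.get("ExitTime") not in (None, "", "N/A", "-")


def unlinked_processes(pslist_text, psscan_text):
    """Rows found by the pool scanner but missing from the linked list,
    ignoring processes that merely exited (the common benign explanation)."""
    listed = load_processes(pslist_text)
    scanned = load_processes(psscan_text)
    suspicious = []
    for pid, row in sorted(scanned.items()):
        if pid in listed or is_terminated(row):
            continue
        suspicious.append((pid, row["ImageFileName"]))
    return suspicious


if __name__ == "__main__":
    for pid, name in unlinked_processes(PSLIST_JSONL, PSSCAN_JSONL):
        print(f"PID {pid} ({name}): in psscan but not pslist, review with pstree/dlllist/handles")
```

Against a real image, pipe each plugin's `-r jsonl` output to a file and pass the file contents in place of the constructed strings; a hit here is a lead to confirm with the other per-process plugins on this page, not a verdict on its own.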

#### Command lines

```bash
vol -f file.dmp windows.cmdline[.CmdLine]
```

#### Environment variables

```bash
vol -f file.dmp windows.envars[.Envars] [--pid=<pid>]
```

#### Privileges

```bash
vol -f file.dmp windows.privileges.Privs [--pid <pid>]
vol -f file.dmp windows.privileges.Privs | grep "SeImpersonatePrivilege\|SeAssignPrimaryTokenPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"
```
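The `grep` in the Volatility 2 and Volatility 3 privilege sections matches any row that names a sensitive privilege, whether or not it is actually enabled, and it reports well-known system processes that legitimately hold those privileges. The script below is an added example (not from this page or from Volatility): it keeps only rows whose attributes contain `Enabled`, groups them by process, and then subtracts a baseline of expected holders. It assumes `windows.privileges.Privs` was run with `-r jsonl` and that rows carry `PID`, `Process`, `Privilege` and `Attributes` keys; the sample rows and the baseline are constructed for illustration.

```python
import json

# Sensitive privileges, taken from the grep pattern on this page.
SENSITIVE = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}

# Constructed sample output of `vol -r jsonl -f file.dmp windows.privileges.Privs`
# (key names are an assumption). Not real dump data.
PRIVS_JSONL = """\
{"PID": 612, "Process": "smss.exe", "Value": 20, "Privilege": "SeDebugPrivilege", "Attributes": "Present,Enabled,Default", "Description": "Debug programs", "__children": []}
{"PID": 820, "Process": "services.exe", "Value": 3, "Privilege": "SeAssignPrimaryTokenPrivilege", "Attributes": "Present,Enabled", "Description": "Replace a process level token", "__children": []}
{"PID": 1904, "Process": "explorer.exe", "Value": 20, "Privilege": "SeDebugPrivilege", "Attributes": "Present", "Description": "Debug programs", "__children": []}
{"PID": 1904, "Process": "explorer.exe", "Value": 23, "Privilege": "SeChangeNotifyPrivilege", "Attributes": "Present,Enabled,Default", "Description": "Receive notifications of changes to files or directories", "__children": []}
{"PID": 3152, "Process": "svch0st.exe", "Value": 20, "Privilege": "SeDebugPrivilege", "Attributes": "Present,Enabled", "Description": "Debug programs", "__children": []}
{"PID": 3152, "Process": "svch0st.exe", "Value": 29, "Privilege": "SeImpersonatePrivilege", "Attributes": "Present,Enabled", "Description": "Impersonate a client after authentication", "__children": []}
"""

# Constructed, illustrative baseline of which system processes are expected
# to hold which sensitive privilege; build the real one from a known-good image.
EXPECTED = {
    "smss.exe": {"SeDebugPrivilege"},
    "services.exe": {"SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege"},
}


def enabled_sensitive_privileges(jsonl_text, sensitive=SENSITIVE):
    """Group enabled sensitive privileges by process: {pid: (name, [privileges])}.
    A privilege that is only 'Present' (not 'Enabled') is not usable and is skipped."""
    holders = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        attrs = {a.strip() for a in str(row.get("Attributes", "")).split(",")}
        if row["Privilege"] not in sensitive or "Enabled" not in attrs:
            continue
        name, privs = holders.setdefault(int(row["PID"]), (row["Process"], []))
        privs.append(row["Privilege"])
    return {pid: (name, sorted(privs)) for pid, (name, privs) in holders.items()}


def unexpected_holders(holders, expected=EXPECTED):
    """Drop privileges the baseline expects for that image name; keep the rest."""
    out = {}
    for pid, (name, privs) in holders.items():
        extra = sorted(set(privs) - expected.get(name.lower(), set()))
        if extra:
            out[pid] = (name, extra)
    return out


if __name__ == "__main__":
    for pid, (name, privs) in sorted(unexpected_holders(enabled_sensitive_privileges(PRIVS_JSONL)).items()):
        print(f"PID {pid} ({name}) has enabled: {', '.join(privs)}")
```

The baseline is keyed on the image name only, so a process that reuses a legitimate name would be filtered with it; pair this check with the pslist/psscan comparison and the parent-process information from `pstree` before trusting a match.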

#### SIDs

```bash
vol -f file.dmp windows.getsids.GetSIDs [--pid <pid>]
vol -f file.dmp windows.getservicesids.GetServiceSIDs
```

#### DLL

```bash
vol -f file.dmp windows.dlllist[.DllList] [--pid <pid>]
```

#### Services

```bash
vol -f file.dmp windows.svcscan[.SvcScan]
vol -f file.dmp windows.getservicesids[.GetServiceSIDs]
```

#### Network

```bash
vol -f file.dmp windows.netscan[.NetScan]
```

#### Registry

```bash
vol -f file.dmp windows.registry.hivelist[.HiveList]
vol -f file.dmp windows.registry.printkey[.PrintKey]
```

#### Mutexes

```bash
vol -f file.dmp windows.mutantscan[.MutantScan]
```

#### Timeline

```bash
vol -f file.dmp timeliner[.Timeliner]
```

#### Drivers

```bash
vol -f file.dmp windows.driverscan[.DriverScan]
```

#### Symbolic links

```bash
vol -f file.dmp windows.symlinkscan[.SymlinkScan]
```

#### Dump

```bash
vol -f file.dmp windows.filescan[.FileScan]
vol -f file.dmp windows.dumpfiles.DumpFiles [--physaddr <0xAAAAA>]
```
